Between unrestricted access to customer data and complete transactional anonymity, a battle rages. Privacy advocates call for an opt-in approach to personal information gathering. Marketers salivate over the personalized, just-in-time offers they can only make if armed with enough data about their customers. The war is fought in congressional committee hearings and in organizations struggling to reconcile a privacy code of conduct with bottom-line profit motivations.

The CRM industry has created data collection and utilization tools intelligent enough to create customer service and marketing initiatives that speak specifically to an individual's needs and wants. But the practice of data collection, and its application to segment and target a customer base, is being seriously questioned. Several countries, including Canada and those in the European Union, have adopted strict policies on personal data use, and practices in the United states are coming under heavy scrutiny.

Finding an optimal middle ground in this issue is not going to be easy. "[Companies] are not sensitive to the issue that privacy is in the eye of the beholder," says Scott Nelson, vice president and research director at Gartner. "On the continuum [between personalization and privacy], where one stops and the other begins is going to vary by individual."

Even steadfast privacy advocates acknowledge that there is room for personalization. "I don't subscribe to this view that privacy and personalization are necessarily at odds," says Jason Catlett, president of privacy technology firm Junkbusters. "The best personalization is done in a privacy-friendly manner where all of the information is handled with the consent and knowledge and active participation of the consumer."

Yet data collection and personalized offers go well beyond explicit consent and active participation. Life events, such as the purchase of a new home or the birth of a baby, trigger floods of insurance offers. One catalog purchase suspiciously leads to the arrival of several other catalogs from seemingly unrelated vendors. With the increased velocity of customer contact and data exchange brought about through the Internet, there is a growing sense that companies simply know too much about consumers.

Ironically, much of the data in question may be useless. "There's a tremendous amount of incompetence among companies when it comes to customer information," says Don Peppers, partner with Peppers and Rogers Group. According to Peppers, firms that believe they are making sense of their massive data stores are often mistaken. "Companies are coming face-to-face with the fact that they have big, sophisticated databases full of garbage."

Nelson starkly frames the gap between the potential and reality of personalization data: Although he acknowledges that studies show personalization can make a sales approach up to four times more effective, "you could throw away virtually all of the data in the warehouse and be no worse off for it," he says. "That's not to say I'm not an advocate of capturing data, but you need a capturing strategy, and not go after any old piece of data just because you can get it." Adjusting to a world in which consumers select the mode and intimacy of interactions can help companies determine the appropriate amount of data needed to satisfy a customer request.

Do You Know? Do You Care?

To date, the bulk of corporate response to privacy concerns has revolved around establishing a privacy policy--a publicly available code of conduct that specifies what a company may do with a customer's information. But simply having a policy is not necessarily enough--it may take liberties some object to, and may not engage consumers enough to ensure that data is applied in an accurate and fair manner. "Consumers can't even find out how much information is being collected about them. That's why the principle of access is so important." Catlett says. But rare is the company or data agency that fully opens its files to consumers and invites verification or correction.

Knowing Too Much

The question of data ownership in an established customer relationship is not cut and dried. For example, "if I sell you a product, the fact that you've bought a product from me is just as much my information as it is your information," Peppers says.

The issue of data sharing further complicates the issue. Many companies keep consumer data away from third parties, but often share data across different internal divisions. Yet consumers may not consider themselves customers of every single division in a company.

Gartner's Nelson believes it is only a matter of time before party-by-party data sharing preferences are a necessary part of doing business. "It's the only way customers are going to be able to feel they have control of the situation."

Asking the Right People

While most companies with modern privacy policies allow the consumer to determine if he or she wants accumulated data shared with others, consumers remain unable to instruct a company not to solicit additional data from outside sources. "Part of it is that customers aren't even aware that a company may ask a third party," Nelson says.

Consumers may even inadvertently allow information they share with one party to be tied directly to them by another. Startup URpower created a software infrastructure that encourages users within a particular affinity group to download client software that asks for basic demographic information, 3-digit ZIP code and a list of personal preferences and interests. That data is provided to participating Web sites through a special browser cookie in exchange for more targeted offers and special group discounts. However, nothing stops a site that subscribes to URpower data from integrating the extensive list of information presented by the URpower cookie with any personal data it may collect during that user's session.

Industry seems unlikely to rush to support this particular privacy initiative. According to the Privacy Leadership Initiative (PLI), third-party data integration saves marketers enormous sums of money--savings that might be difficult to make up elsewhere. According to PLI statistics, apparel catalog merchants would have had to spend an extra $1.4 billion in marketing costs in 2000 alone if they were restricted from obtaining and retaining consumer data from outside sources.

Yet incorporating third-party information for personalization purposes offends many consumers. Amazon.com demonstrated this lesson to the world when it launched the Amazon Honor System, a payment service aimed at small Web sites looking to collect voluntary tithes from loyal visitors. Initially, the Amazon Honor System payment button would greet visitors by name if they were registered Amazon.com customers. The result was that sites that otherwise might not have known a visitor's name were now displaying that information proudly. Even though it was reasonably clear that the information came from Amazon.com and not the soliciting site, negative feedback quickly led Amazon.com to add an option to make the button anonymous and firmly establish that personal information is not shared with Honor System payees.

Everybody Does It

Companies often try to deflect privacy concerns by asserting that data collection, integration and application has been a standard business practice for decades. "The people who came into the online marketing world from the direct marketing world didn't want there to be a difference in rules...[in direct marketing] there is no opt-in, there's only opt-out, and they're upset that the rules were different," says Kim Weins, vice president of product marketing for marketing systems vendor Annuncio.

The Direct Marketing Association (DMA), for example, manages opt-out lists for e-mail, telephone and direct mail contact for its members. Traditionally, consumers who wished to opt-out of mailers and telemarketing contacts could be placed on a "delete" list that would remain valid for five years by sending a letter to the DMA. The DMA has added online registration, with a $5 fee for the privilege, without increasing the frequency of the list updates (still quarterly) or the duration of the opt-out. Since one of the primary benefits of e-commerce is lower transaction costs, intuitively the DMA's processing costs should be less for an electronic registration than for a physical letter, giving the $5 charge the distinct aroma of a disincentive.

Searching for Traffic Cops

Although CRM vendors are eager to be part of the privacy enforcement equation, they are often reluctant to take an active hand in it. Rather, they simply enforce the rules by which their corporate customers abide. "What our software allows people to do is make rules that can be supported," says Chris Bergh, chief technology officer of CRM marketing software vendor MarketSoft. "There's a judgment question that the marketer has to [answer] about when they want to intrude beyond those contact preferences the customer has put in, but if they're going to bypass our privacy controls without good reason, it's going to give [the company] a black eye."

Consider the difficult line walked by the direct marketing agency for the Minneapolis star Tribune. While the agency maintains a master opt-out list that applies to all campaigns it runs, it will bend the rules and allow companies to contact opted-out consumers it claims to own on its own rolls, as long as the client signs off and takes full responsibility for any repercussions.

Personalization Without Apology

Despite the uproar, the personalization industry still maintains it is providing a service that both companies and consumers want.Quoting findings from research conducted by the Personalization Consortium, Peppers claims that 87 percent of customers are annoyed when they are asked to provide the same information more than once, and 82 percent are willing to provide basic personal information, including age, gender and ethnicity in exchange for that organizational memory.

Here the irony rears its head once again: If the expert assessment of the state of most personalization efforts is to be believed, most consumers aren't even getting the targeted service they ask for when they turn over personal information. Even in the industries he considers most advanced in personalization and analytical CRM, AMR's Kevin Scott says that data collection and management is still so fragmented that integrating data within a company is an enormous challenge.

Consumers are worried about corporations knowing too much. Corporations are worried that tightening restrictions will reduce their ability to communicate with customers. And the CRM vendors in the middle just want the two to settle on rules everybody can live with. "Nothing is really as sophisticated as privacy advocates say, or as us business consultants want it to be," Peppers says.